firewall: Make sure that only packets that go through the tunnel are passing OVPNBLOCK.

[people/teissler/ipfire-2.x.git] / src / initscripts / init.d / firewall

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 7db39085dde4a1248ec2149e5223bafabb1bda7b..dd678893738ff22b4ecba6ab886910ef01aeb598 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -1,5 +1,8 @@
 #!/bin/sh
 
+. /etc/sysconfig/rc
+. ${rc_functions}
+
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
@@ -103,9 +106,10 @@ iptables_init() {
 
        # Block OpenVPN transfer networks
        iptables -N OVPNBLOCK
-       for i in INPUT FORWARD; do
-               iptables -A ${i} -j OVPNBLOCK
-       done
+       iptables -A INPUT   -i tun+ -j OVPNBLOCK
+       iptables -A OUTPUT  -o tun+ -j OVPNBLOCK
+       iptables -A FORWARD -i tun+ -j OVPNBLOCK
+       iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
        # OpenVPN transfer network translation
        iptables -t nat -N OVPNNAT
@@ -193,8 +197,6 @@ iptables_init() {
        iptables -t nat -N REDNAT
        iptables -t nat -A POSTROUTING -j REDNAT
 
-       iptables_red
-
        # Custom prerouting chains (for transparent proxy)
        iptables -t nat -N SQUID
        iptables -t nat -A PREROUTING -j SQUID
@@ -209,11 +211,6 @@ iptables_init() {
        iptables -N UPNPFW
        iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
 
-       # run local firewall configuration, if present
-       if [ -x /etc/sysconfig/firewall.local ]; then
-               /etc/sysconfig/firewall.local start
-       fi
-
        # Apply OpenVPN firewall rules
        /usr/local/bin/openvpnctrl --firewall-rules
 
@@ -228,19 +225,11 @@ iptables_init() {
        iptables -N POLICYOUT
        iptables -A OUTPUT -j POLICYOUT
 
+       # Initialize firewall policies.
        /usr/sbin/firewall-policy
 
-       # read new firewall
-       /usr/local/bin/firewallctrl
-
-       if [ "$DROPINPUT" == "on" ]; then
-               iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
-       fi
-       iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
-       if [ "$DROPFORWARD" == "on" ]; then
-               iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
-       fi
-       iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+       # Install firewall rules for the red interface.
+       iptables_red
 }
 
 iptables_red() {
@@ -292,15 +281,46 @@ iptables_red() {
                iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
 
        fi
+
+       # Reload all rules.
+       /usr/local/bin/firewallctrl
 }
 
 # See how we were called.
 case "$1" in
   start)
+       boot_mesg "Loading firewall modules into the kernel"
+       modprobe iptable_nat || failed=1
+       for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
+               modprobe $(basename $i | cut -d. -f1) || failed=1
+       done
+       for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
+               modprobe $(basename $i | cut -d. -f1) || failed=1
+       done
+       (exit ${failed})
+       evaluate_retval
+
+       if [ -e /var/ipfire/main/disable_nf_sip ]; then
+               rmmod nf_nat_sip
+               rmmod nf_conntrack_sip
+               rmmod nf_nat_h323
+               rmmod nf_conntrack_h323
+       fi
+
+       boot_mesg "Setting up firewall"
        iptables_init
+       evaluate_retval
+
+       # run local firewall configuration, if present
+       if [ -x /etc/sysconfig/firewall.local ]; then
+               /etc/sysconfig/firewall.local start
+       fi
        ;;
   reload)
+       boot_mesg "Reloading firewall"
        iptables_red
+       evaluate_retval
+
        # run local firewall configuration, if present
        if [ -x /etc/sysconfig/firewall.local ]; then
                /etc/sysconfig/firewall.local reload